SecureMac, Inc.

Checklist 214: Five Big Mac Malware Stories from 2020

January 14, 2021

With a new year just underway, we thought we’d look back at five big Mac malware stories from 2020. We’ll talk about FinSpy, GravityRAT, XCSSET, ThiefQuest, and Shlayer.

On this week’s Checklist, we’ll look back at 5 of the most important pieces of Mac malware from 2020 — and we’ll tell you what they mean for your security this year and beyond!


FinSpy is a commercial spyware tool sold to law enforcement agencies and governments all over the world. Until recently, it was not thought of as a threat to Mac users, but researchers at Amnesty International discovered a new, macOS variant of FinSpy in September of last year.

It’s true that most of us are unlikely to run into malware that’s being used by nation states or government agencies, but what’s significant here is that FinSpy was spread through Trojanized app installers, and relied on unpatched exploits and social engineering tactics to infect users.

The takeaway is that all users need to be following the sorts of basic best practices that we talk about on the Checklist so often:

  • Keep your OSes up to date and your software patched
  • Avoid software from unknown or untrusted sources
  • Handle all incoming emails and links with care 


GravityRAT is a spyware tool that can give the bad guys remote access to an infected system, allowing them to steal data or execute commands. Like FinSpy, GravityRAT has been around for a while — but as a Windows threat. However, last year researchers at Kaspersky found a new macOS variant of GravityRAT (along with some Android versions), changing the game for Mac users.

It seems that more and more malware authors are “porting” Windows and Linux malware to macOS, in much the same way that app and game developers do with legitimate software! In a way, this makes perfect sense: Developing malware takes time and effort, and for a long time, there just wasn’t much point in writing malware for macOS. However, as Macs become more prevalent, especially in the enterprise, that’s changing — which is probably why we’re seeing such a dramatic increase in Mac malware. Repurposing Windows malware for macOS is one quick and effective way to deploy “new” Mac malware, and so we expect to see more of this in the years to come.

In terms of staying safe:

  • Keep an eye out for “new to Mac” versions of Windows malware
  • When installing new software, pay close attention to your Mac’s system dialogs and warnings, especially if they have to do with code signing and notarization issues


XCSSET is a suite of malicious components that infects Xcode projects (Xcode being a macOS development tool). As such, this principally affects app developers, but it does raise an important concern for everyday Mac users as well.

XCSSET can steal credentials, exfiltrate data, and also has ransomware capabilities. Because developers often share Xcode projects, and use other people’s Xcode projects in their own work, there is a strong potential for XCSSET to spread from developer to developer, leading some to talk about the malware as a form of supply-chain attack.

In terms of what’s significant for everyday Mac users: bad actors are targeting devs directly, and are succeeding in their attacks. This basic approach — infect someone’s software and hope that some other target further downstream picks it up and uses it — is known as a supply-chain attack, and it’s definitely something for non-developers to be aware of.

The SolarWinds hack at the end of 2020 goes to show just how dangerous such attacks can be, but there are also less dramatic examples that normal computer users are more likely to encounter, such as e-skimmers.

Keeping safe is hard to do when someone else has been hacked — and when you actually trust that someone else to deliver malware-free software! But there is one important measure that you can take: Install an outbound firewall app like LuLu or Little Snitch. These tools monitor network traffic leaving your computer, and can help detect and block suspicious traffic. If you are infected by malware, a good firewall app may be able to stop the malware from “phoning home” to its command and control server and doing further damage.


ThiefQuest may sound like an adventure game, but don’t let the name fool you: It’s a powerful and sophisticated hybrid malware threat for macOS, containing ransomware, spyware, and data theft capabilities. 

ThiefQuest’s ransomware aspect alone would make it notable in the world of Mac malware, since ransomware is still relatively uncommon on macOS. But researchers who have looked closely at the malware say that the actual ransomware functionality is not very well implemented, and suggest that it may just be a smokescreen intended to distract victims from ThiefQuest’s true purpose: surveillance and data exfiltration.

Still, the malware is considered under development, meaning that a better-designed version may appear at some point in the future. And the fact that we’re starting to see new ransomware for macOS — even if it’s not very well made — is concerning. All Mac users should protect themselves from the threat of ransomware by performing regular backups of their systems and important files.

In addition, we should mention that ThiefQuest spreads through Trojanized versions of pirated software, which is a pretty common malware delivery vector. If you want to stay safe, don’t steal software! If you’re on a tight budget, and truly need a software program, consider searching for an open-source alternative instead.


The last entry on our list is Shlayer, which is definitely not new. In fact, it’s one of the most common types of macOS malware around, with some security experts estimating that the Shlayer family as a whole infects 1 in 10 Macs worldwide. 

So why include it in this list? Because in 2020, a new Shlayer variant was spotted “in the wild” — and this one had successfully passed Apple’s App Notarization process! App Notarization is basically an automated security check that inspects apps for malicious components and code-signing issues; all app developers have to submit their apps to the notarization service before they can run on macOS.

At least, that’s what’s supposed to happen. But last year, analysts found some Shlayer malware that had apparently made it through App Notarization somehow, and was running on macOS as legitimate software.
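For readers comfortable with Terminal, here is one way to see what Gatekeeper thinks of an app before you open it. This is an added example, not something from the show: it reads the text that macOS's `spctl` tool prints and boils it down to a one-word verdict. The sample output and the `Example.app` / `Example Corp` names are constructed, and the `source=` strings matched are the ones `spctl` commonly prints, so treat anything else as needing a closer look. As the Shlayer case shows, a "notarized" verdict tells you the app passed Apple's automated check, not that it is safe.

```shell
#!/bin/sh
# Added example: classify the output of `spctl --assess --type execute -vv <app>`.
# Reads the assessment text on stdin and prints a one-word verdict.
classify_assessment() {
    verdict="" src=""
    while IFS= read -r line; do
        case "$line" in
            *": accepted"*) verdict=accepted ;;
            *": rejected"*) verdict=rejected ;;
            source=*)       src=${line#source=} ;;
        esac
    done
    case "$verdict:$src" in
        accepted:"Notarized Developer ID") echo notarized ;;
        accepted:"Mac App Store"|accepted:"Apple System") echo apple-distributed ;;
        accepted:*) echo accepted-not-notarized ;;
        rejected:"Unnotarized Developer ID") echo signed-not-notarized ;;
        rejected:*) echo rejected ;;   # e.g. "no usable signature"
        *) echo unknown ;;             # no accepted/rejected line was seen
    esac
}

# On a Mac: check_app /path/to/Some.app
# spctl writes its assessment to stderr, so merge it into the pipe.
check_app() {
    spctl --assess --type execute -vv "$1" 2>&1 | classify_assessment
}

# Constructed sample output (not captured from a real app).
SAMPLE_NOTARIZED='Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'

SAMPLE_UNNOTARIZED='Example.app: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'

# Demo on the constructed samples, so this runs without a Mac.
printf '%s\n' "$SAMPLE_NOTARIZED"   | classify_assessment
printf '%s\n' "$SAMPLE_UNNOTARIZED" | classify_assessment
```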

Bottom line? Everyday users need to remember that Mac malware is becoming more prevalent (and more sophisticated), and that Apple’s built-in security checks don’t always catch everything. Now more than ever, you are the best defense against bad things happening on your Mac, which means that you should:

  • Learn how to spot phishing attacks and suspicious links
  • Follow best practices for safe downloads
  • Pay attention to system dialogs and alerts, and make sure you understand them before clicking through
  • Try to keep up with the latest Mac security news by following accounts on social media, reading security news outlets, or listening to security-themed podcasts like this one
  • Make use of third-party software, like outbound firewalls and malware detection and removal tools, in order to add an extra layer of security to your Mac

That brings us to the end of another Checklist. While you’re waiting for the next episode, take a moment to check out our show archives, or send us an email letting us know what security topics you’d like to see covered on a future Checklist!
